EVALUATION REPORT

Information Security Risk Evaluation of Region IV – Arlington, TX

OIG-13-A-07 December 20, 2012

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

December 20, 2012

MEMORANDUM TO:  R. William Borchardt
                Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/
                Assistant Inspector General for Audits

SUBJECT:        INFORMATION SECURITY RISK EVALUATION OF REGION IV – ARLINGTON, TX (OIG-13-A-07)

Attached is the Office of the Inspector General’s (OIG) evaluation report titled, Information Security Risk Evaluation of Region IV – Arlington, TX.

The report presents the results of the subject evaluation. The agency agreed with the evaluation findings at the September 21, 2012, exit conference, and provided comments which were incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Team, at 415-5911.

Attachment: As stated

Information Security Risk Evaluation of Region IV – Arlington, TX

Contract Number: GS-00F-0001N
NRC Order Number: D12PD01191

December 17, 2012

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.

EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) Office of the Inspector General tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC’s regional offices and the Technical Training Center. This report presents the results of the information security risk evaluation for the Region IV office, which is located in Arlington, Texas.

OBJECTIVES

The Region IV information security risk evaluation objectives were to:

- Perform an independent information security risk evaluation of the NRC information technology (IT) security program, policies, and practices for compliance with the Federal Information Security Management Act (FISMA) of 2002 in accordance with Office of Management and Budget guidance and Federal regulations and guidelines as implemented at Region IV.
- Evaluate the effectiveness of agency security control techniques as implemented at Region IV.

RESULTS IN BRIEF

Region IV has made improvements in its implementation of NRC’s IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the Region IV IT security program and practices are not always consistent with NRC’s IT security program, as summarized below.

Continuity of Operations and Recovery

Backup procedures are inadequate. Specifically, backup procedures are not maintained and kept up-to-date and backups of NRC-managed servers are not sent to an offsite storage location. As a result, Region IV may not have reliable IT system backup information available if there is a need for system or file recovery.

IT Security Program

Some NRC-owned laptops do not have a current authority to operate. As a result, Region IV is not fully compliant with NRC requirements for laptop systems. The Region IV physical security plan is not up-to-date. As a result, steps or processes could be skipped or forgotten if personnel responsible for a particular activity are unavailable. In addition, outdated procedures make it more difficult when training new personnel to handle a specific activity.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC’s IT security program and implementation of FISMA at Region IV. A consolidated list of recommendations appears on page 11 of this report.

AGENCY COMMENTS

At an exit conference on September 21, 2012, agency officials agreed with the findings and provided comments which were incorporated, as appropriate, into this report.
The agency opted not to submit formal comments.

ABBREVIATIONS AND ACRONYMS

ATO       Authority to Operate
CSO-STD   Computer Security Office Standard
FISMA     Federal Information Security Management Act
ISSO      Information Systems Security Officer
IT        Information Technology
MD        Management Directive
NIST      National Institute of Standards and Technology
NRC       Nuclear Regulatory Commission
OIG       Office of the Inspector General
OMB       Office of Management and Budget
PG        Policy Guide
SGI       Safeguards Information
SP        Special Publication

TABLE OF CONTENTS

Executive Summary ... i
Abbreviations and Acronyms ... iii
1 Background ... 1
2 Objectives ... 2
3 Findings ... 2
  3.1 Continuity of Operations and Recovery ... 3
    3.1.1 Region IV Servers ... 3
    FINDING #1: Backup Procedures Are Inadequate ... 3
    3.1.2 Server Administration Requirements ... 3
    3.1.3 Agency Has Not Fully Met Requirements ... 4
    3.1.4 Potential Risk of Server Unavailability or Data Loss ... 4
  3.2 Information Technology Security Program ... 5
    3.2.1 Region IV Laptop Systems ... 5
    FINDING #2: Some Laptops Do Not Have a Current Authority To Operate ... 6
    3.2.2 Laptop System Requirements ... 6
    3.2.3 Agency Has Not Fully Met Requirements ... 7
    3.2.4 Regional Procedures and Instructions ... 7
    FINDING #3: Region IV Physical Security Plan Is Not Up-to-Date ... 8
    3.2.5 Requirements for Updating Procedures ... 8
    3.2.6 Agency Has Not Fully Met Requirements ... 8
    3.2.7 Impact on Region IV Operations ... 9
4 Consolidated List of Recommendations ... 11
5 Agency Comments ... 13
Appendix. OBJECTIVES, SCOPE, AND METHODOLOGY ... 15

1 Background

The U.S. Nuclear Regulatory Commission (NRC) has four regional offices that conduct inspection, enforcement, investigation, licensing, and emergency response programs for nuclear reactors, fuel facilities, and materials licensees. The regional offices are the agency’s front line in carrying out its mission and implementing established agency policies and programs nationwide. The Region IV office oversees regulatory activities in the western and southern midwestern United States; is located in Arlington, Texas; and operates under the direction of a Regional Administrator. The region covers a 22-State area, including 9 States with nuclear power plants, as well as the U.S. Pacific territories. Region IV also oversees the Grand Gulf Nuclear Station in Mississippi, which is located in Region II.

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, requires agencies to implement and maintain an information technology (IT) security program, including the preparation of policies, standards, and procedures. An effective IT security program is an important managerial responsibility. Management establishes a positive climate by making computer security a part of the information resources management process and providing support for a viable IT security program.

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency’s information security program[2] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency’s information systems. The evaluation also must include an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency’s Office of the Inspector General (OIG) or an independent external auditor.[3]

NRC maintains an IT security program to provide appropriate protection of information resources.
In this regard, the role of the NRC OIG is to provide oversight of agency programs, including the IT security program in support of the NRC goal to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act, which expired in November 2002.
[2] NRC uses the term “information security program” to describe its program for ensuring that various types of sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and organizations. For the purposes of FISMA, the agency uses the term IT security program.
[3] While FISMA uses the language “independent external auditor,” OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, clarified this requirement by stating, “Within the context of FISMA, an audit is not contemplated. By requiring an evaluation but not an audit, FISMA intended to provide Inspectors General some flexibility….”

In support of its FISMA obligations, the NRC OIG tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC’s regional offices and the Technical Training Center to evaluate IT security programs in place at those locations, to include an assessment of potential physical security weaknesses, and to identify existing problems and make recommendations for corrective actions.

The information security risk evaluation focused on the following elements of NRC’s IT security program, policies, and practices:

- Physical and Environmental Security Controls.
- Logical Access Controls.
- Configuration Management.
- Continuity of Operations and Recovery.
- IT Security Program.

This report presents the results of the information security risk evaluation for Region IV. A consolidated list of recommendations appears on page 11.

2 Objectives

The Region IV information security risk evaluation objectives were to:

- Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with FISMA in accordance with OMB guidance and Federal regulations and guidelines as implemented at Region IV.
- Evaluate the effectiveness of agency security control techniques as implemented at Region IV.

The report appendix contains a description of the evaluation objectives, scope, and methodology.

3 Findings

Region IV has made improvements in its implementation of NRC’s IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the Region IV IT security program and practices are not always consistent with NRC’s IT security program as defined in Management Directive (MD) and Handbook 12.5, NRC Automated Information Systems Security Program; other NRC policies; FISMA; and National Institute of Standards and Technology (NIST) guidance. While many of the Region IV automated and manual IT security controls are generally effective, some IT security controls need improvement. Specifics on continuity of operations and recovery and the Region IV IT security program are described in the following sections.

3.1 Continuity of Operations and Recovery

Region IV procedures for maintaining continuity of operations and recovery are generally consistent with the requirements in MD and Handbook 12.1, NRC Facility Security Program; MD and Handbook 12.5; and NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. Region IV has documented backup procedures for seat-managed servers and has developed a site-specific Occupant Emergency Plan.

However, the evaluation team found that backup procedures are inadequate. Specifically, backup procedures are not maintained and kept up-to-date and backups of NRC-managed servers are not sent to an offsite storage location. As a result, Region IV may not have reliable IT system backup information available if there is a need for system or file recovery.

3.1.1 Region IV Servers

Region IV is supported by IT equipment that is both seat-managed and NRC-managed.
Core regional servers are provided and managed by the seat management contractor and include domain controllers, mail servers, multipurpose servers, a tape server, and virtual servers. Seat-managed servers are included in the authorization boundary of the IT Infrastructure system. Additional regional servers are owned and managed by Region IV and include Web servers, application servers, and servers supporting the Region IV phone system. NRC-managed servers at Region IV are currently not included in any authorization boundary.

FINDING #1: Backup Procedures Are Inadequate

MD and Handbook 12.5, NRC standards, and NIST SP 800-53 detail requirements for certain aspects of server administration, including backups of IT systems. However, Region IV has not met all the requirements. Specifically, backup procedures are not maintained and kept up-to-date and backups of NRC-managed servers are not sent to an offsite storage location. As a result, Region IV may not have reliable IT system backup information available if there is a need for system or file recovery.

3.1.2 Server Administration Requirements

MD and Handbook 12.5 detail requirements for backups of IT systems, and state that these procedures should be implemented when backing up media to ensure that reliable backups are available if there is a need for system or file recovery. These procedures include, but are not limited to:

- Backup schedule – outlines the type of backup, the interval for each backup, the storage location, and the number of copies of each backup.
- Full backups – performed at least weekly.
- Incremental (differential) backups – performed nightly.
- Location of backups – at least two full backups maintained. One should remain onsite and a second copy should be removed to an offsite storage facility immediately after its creation.
- Backup media – use high-quality media to ensure good quality backups are available for recovery should the need arise.
- Storage of backups – store both onsite and offsite backups in a location, cabinet, or safe that is waterproof and fireproof for at least 14 days or as recommended by the agency.
- Testing of storage – backups are periodically tested to ensure they can be used effectively to restore sensitive information.

NRC Computer Security Office Standard (CSO-STD) 2002, System Back-up Standard, V1.1, dated December 15, 2010, states backup and recovery procedures are to be developed, documented, approved, maintained, and used for all systems operated by or on behalf of NRC.

NRC CSO-STD-2001, Operating Procedures Standard, V1.1, dated April 15, 2011, states that documented and periodically reviewed operational procedures and responsibilities capture the requirements for secure operation of information systems and effective management and support of IT systems. This standard requires system owners to ensure operating procedures are reviewed and approved on a periodic basis, at least annually.

3.1.3 Agency Has Not Fully Met Requirements

The Region IV seat-management contractor has developed backup procedures for seat-managed servers in Region IV. These procedures are documented in “Backup Procedures,” last revised April 2, 2012. The seat-management contractor is only responsible for performing backups of seat-managed servers. While Region IV has developed and documented required backup procedures, the procedures do not reflect the server infrastructure currently in place in Region IV. For example, the backup procedures include a list of seat-managed servers covered by the document; however, this list includes two servers that are not found in the actual backup job run by the backup software. There are also two servers in the actual backup job that are not referenced in the documented backup procedures. The backup procedures also still include a reference to the previous seat-management contractor. The seat-management contract was transitioned to the current contractor in December 2011. In addition, the current seat-management contractor creates a Ghost[4] image of every server at least once a month, and whenever significant changes are made. However, procedures for creating Ghost images, including where those images are stored, are not documented.

NRC staff in Region IV are responsible for performing backups of NRC-managed servers. Data on NRC-managed servers is backed up to network attached storage. However, these procedures are not documented.
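The two gaps the evaluation team found (the documented server list drifting from the real backup job, and the MD 12.5 schedule, copy-count, offsite and restore-test requirements in section 3.1.2 not being met) can both be checked mechanically from backup records. The following Python is an added example, not NRC's or the seat-management contractor's tooling; the server names, dates and the 90-day restore-test window are constructed assumptions.

```python
"""Backup-procedure checks modelled on the MD and Handbook 12.5 and CSO-STD-2001
requirements quoted in this report. Added illustration only, not NRC's or the
seat-management contractor's tooling; names, dates and the restore-test window
are constructed for the example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Thresholds from the requirements above; the restore-test window is an
# assumption, since the standard only says backups are tested "periodically".
FULL_BACKUP_MAX_AGE_DAYS = 7         # full backups performed at least weekly
INCREMENTAL_MAX_AGE_DAYS = 1         # incremental (differential) backups nightly
PROCEDURE_REVIEW_MAX_AGE_DAYS = 365  # CSO-STD-2001: reviewed at least annually
RESTORE_TEST_MAX_AGE_DAYS = 90       # assumption: "periodically" read as quarterly


@dataclass
class BackupCopy:
    kind: str       # "full" or "incremental"
    taken: date
    offsite: bool   # copy removed to an offsite storage facility


@dataclass
class ServerBackupState:
    name: str
    copies: list = field(default_factory=list)
    last_restore_test: Optional[date] = None


def reconcile_server_lists(documented: set, in_backup_job: set) -> dict:
    """Compare the servers named in the written procedure with those the backup
    software actually processes. Drift either way is a finding: a documented
    server absent from the job is not backed up as the procedure claims, and a
    server in the job that the procedure never names has no written procedure."""
    return {
        "documented_not_in_job": sorted(documented - in_backup_job),
        "in_job_not_documented": sorted(in_backup_job - documented),
    }


def check_server(state: ServerBackupState, today: date) -> list:
    """Return the MD 12.5 backup requirements this server currently fails."""
    failures = []
    fulls = [c for c in state.copies if c.kind == "full"]
    incrs = [c for c in state.copies if c.kind == "incremental"]
    newest = lambda cs: (today - max(c.taken for c in cs)).days if cs else None

    if newest(fulls) is None or newest(fulls) > FULL_BACKUP_MAX_AGE_DAYS:
        failures.append("no full backup within the last week")
    if newest(incrs) is None or newest(incrs) > INCREMENTAL_MAX_AGE_DAYS:
        failures.append("no incremental backup from last night")
    if len(fulls) < 2:  # at least two full backups maintained, one onsite and one offsite
        failures.append("fewer than two full backups retained")
    if not any(c.offsite for c in fulls):
        failures.append("no full backup copy held offsite")
    if (state.last_restore_test is None
            or (today - state.last_restore_test).days > RESTORE_TEST_MAX_AGE_DAYS):
        failures.append("restore from backup not tested recently")
    return failures


def procedure_review_is_current(last_reviewed: date, today: date) -> bool:
    """CSO-STD-2001: operating procedures reviewed and approved at least annually."""
    return (today - last_reviewed).days <= PROCEDURE_REVIEW_MAX_AGE_DAYS


# Constructed sample data shaped like the finding: the written procedure names two
# servers the backup job no longer covers, and the job covers two it never mentions.
TODAY = date(2012, 9, 21)
DOCUMENTED_SERVERS = {"dc01", "dc02", "mail01", "mp01", "mp02"}
BACKUP_JOB_SERVERS = {"dc01", "dc02", "mail01", "tape01", "vm01"}
PROCEDURE_LAST_REVISED = date(2012, 4, 2)

SAMPLE_SERVERS = [
    # seat-managed server meeting the weekly full / nightly incremental schedule
    ServerBackupState("dc01", [
        BackupCopy("full", date(2012, 9, 9), offsite=False),
        BackupCopy("full", date(2012, 9, 16), offsite=True),
        BackupCopy("incremental", date(2012, 9, 20), offsite=False),
    ], last_restore_test=date(2012, 8, 1)),
    # NRC-managed server backed up only to onsite network attached storage
    ServerBackupState("web01", [
        BackupCopy("full", date(2012, 9, 9), offsite=False),
        BackupCopy("full", date(2012, 9, 16), offsite=False),
        BackupCopy("incremental", date(2012, 9, 20), offsite=False),
    ]),
]


def run_report(today: date = TODAY) -> dict:
    """Gather list drift, per-server schedule gaps and procedure currency together."""
    report = reconcile_server_lists(DOCUMENTED_SERVERS, BACKUP_JOB_SERVERS)
    report["server_failures"] = {s.name: check_server(s, today) for s in SAMPLE_SERVERS}
    report["procedure_current"] = procedure_review_is_current(PROCEDURE_LAST_REVISED, today)
    return report
```

Run `run_report()` to see the drift in both directions, the NRC-managed server flagged for having no offsite copy and no restore test, and the procedure document still within its annual review window.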
In addition, backups of NRC-managed servers are not sent to an offsite storage location.

3.1.4 Potential Risk of Server Unavailability or Data Loss

While the backup procedures that are currently implemented should minimize data loss in the event of a computer failure, the procedures for the seat-managed servers are not up-to-date and there are no procedures for the NRC-managed servers. Software performs many of the backups automatically, but someone must ensure the backup jobs include all required servers and run without errors. The procedures need to be documented and current so that if the primary personnel responsible for server administration are not available, alternates have the information necessary to follow the procedures. Current procedures can also be useful when training new employees with responsibilities for server administration. Backups need to be sent to an offsite storage location to allow for recovery from situations in which the primary facility is damaged or inaccessible. As a result, Region IV may not have reliable IT system backup information available if there is a need for system or file recovery.

[4] Ghost (general hardware-oriented system transfer) is a software product that creates full system (disk image) backups.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Update the backup procedures for seat-managed servers to (i) reflect the current Region IV seat-managed server infrastructure; (ii) document current backup procedures for seat-managed servers; (iii) document procedures for creating Ghost images, including where those images are stored; (iv) define the schedule for creating Ghost images; (v) correct references to the current seat-management contractor; and (vi) correct any other sections impacted by the changes to the server infrastructure or the transition to the new seat-management contractor.
2. Develop documented backup procedures for NRC-managed servers. The procedures should include the same level of detail as the backup procedures for seat-managed servers.
3. Develop and implement procedures for sending backups of NRC-managed servers to an offsite storage location in accordance with NRC requirements.

3.2 Information Technology Security Program

Overall, Region IV is following agency security policies and procedures regarding IT security. Region IV has developed regional policy guides that are generally up-to-date and are available on the Region IV internal Web site. Staff receive training regarding IT security during new employee orientation and receive a copy of the Employee IT User Manual, which includes a section on computer security, and the Information Systems Security Officer (ISSO) sends periodic cybersecurity reminders via e-mail on topics such as safe online shopping and phishing. Users are generally aware of and are following agency and Region IV IT security policies and procedures.

However, the evaluation team found issues with the Region IV laptop systems and with keeping Region IV IT security program procedures up-to-date.

3.2.1 Region IV Laptop Systems

Laptops in use at Region IV are either seat-managed laptops or NRC-owned laptops.
Seat-managed laptops in use at Region IV include those laptops that are part of the agency’s new working from anywhere/mobile desktop program. NRC-owned laptops in use at Region IV include loaner laptops, laptops in conference rooms and training rooms, and laptops used to process safeguards information (SGI).

FINDING #2: Some Laptops Do Not Have a Current Authority To Operate

The NRC Laptop Security Policy, which specifies the requirements for authorization of laptop systems, states that all NRC laptops must be either designated a system or included as part of an existing system. NRC-owned laptops in use at Region IV include loaner laptops, laptops in conference rooms and training rooms, and laptops used to process SGI. However, the evaluation team found that some NRC-owned laptops do not have a current authority to operate (ATO). As a result, Region IV is not fully compliant with NRC requirements for laptop systems.

3.2.2 Laptop System Requirements

The NRC Laptop Security Policy states that all NRC laptops must either be designated a system or be included as part of an existing system. All laptops that are not seat-managed are considered to be organization-managed, i.e., NRC-owned. All NRC-owned laptops that process or access classified national security information belong to that office’s or region’s “Classified Laptop System.” All NRC-owned laptops that process or access SGI and are not part of the office’s or region’s “Classified Laptop System” belong to that entity’s “SGI Laptop System.” All NRC-owned laptops that are not part of the office’s or region’s “Classified Laptop System” or the office’s or region’s “SGI Laptop System” belong to that entity’s “General Laptop System.”

The NRC Laptop Security Policy also specifies the following requirements for authorization (formerly referred to as accreditation):

- Laptop systems must meet the requirements provided in the relevant standard security plan. There is a different standard security plan for classified, SGI, and general laptops.
- Laptop systems must be certified by the system owner as compliant with the relevant laptop system requirements.
- Laptop systems must be accredited by the appropriate Designated Approving Authority prior to processing any relevant (i.e., classified, SGI, sensitive unclassified) information on the system.
- Certification of a laptop system requires a system certification memorandum from the laptop system owner. The memorandum must include an enclosure that provides the names and contact information for the System Owner, Certification Agent, ISSO, Alternate ISSO, and System Administrator.
- For each laptop or removable hard drive that is part of the laptop system, the enclosure must provide information such as physical storage location, location where system is used, brand, model, tag number, peripherals, etc.

3.2.3 Agency Has Not Fully Met Requirements

Region IV has not established a general laptop system, which would include its loaner laptops and laptops found in conference rooms and training rooms. In addition, Region IV has one SGI laptop (and four standalone desktops) still on the NRC inventory of systems and a system called the Region IV SGI Automated Inventory System. The NRC inventory indicates five of these systems have an authorization to operate that expired in March 2009 and the Region IV SGI Automated Inventory System never had an authorization to operate. During the site visit to Region IV, the evaluation team was unable to determine whether any of the SGI systems on the NRC inventory were still in use and therefore should be covered under a Region IV SGI laptop system with a current ATO. Subsequent to the site visit, Region IV informed the evaluation team that SGI laptops and standalone desktops are no longer in use and are in the process of being decommissioned. Therefore, there is no need for Region IV to establish a Region IV SGI laptop system to cover these systems.

RECOMMENDATION

The Office of the Inspector General recommends that the Executive Director for Operations:

4. Establish a general laptop system and complete the process described in the NRC Laptop Security Policy for authorization of the general laptop system.

3.2.4 Regional Procedures and Instructions

Region IV uses regional office policy guides and notices to inform the staff of regional policies, procedures, and guidance, including those specific to the Region IV IT security program. Policy guides contain instructions, policies, procedures, or guidance intended to be of a permanent nature, remain in effect until they are revised or cancelled, and must be updated within 3 years of the date of issuance to ensure all information remains current. Regional notices contain information of a temporary nature and are intended to keep the staff informed, but do not establish comprehensive policy for the staff to follow. All notices contain an expiration date that does not exceed 6 months from the date of issuance. For both policy guides and notices, the originating division is responsible for ensuring their assigned documents are current.

The following are some examples of regional policy guides specific to the Region IV IT security program:

- Policy Guide (PG) 0754.2, Physical Security Plan, dated August 30, 2011 – describes the policies, procedures, and responsibilities for assuring protection of information, property and employees at Region IV.
- PG 0253-5, Computer User’s Guide, dated April 19, 2012 – establishes guidelines for maintaining computer security and the general use of government computer resources in Region IV.
- PG 0759.3, Region IV Security Program, dated January 19, 2011 – establishes the overall structure and policy for all elements of the Region IV security programs.

FINDING #3: Region IV Physical Security Plan Is Not Up-to-Date

NRC has developed several security standards that specify the frequency of reviewing and updating IT security program procedures. However, the Region IV physical security plan is not up-to-date. As a result, steps or processes could be skipped or forgotten if personnel responsible for a particular activity are unavailable. In addition, outdated procedures make it more difficult when training new personnel to handle a specific activity.

3.2.5 Requirements for Updating Procedures

NRC CSO-STD-0020, Organization Defined Values for System Security Controls, Revision 1.1, dated July 1, 2012, defines the mandatory values for specific controls in the 18 security control families described in NIST SP 800-53. The standard requires that documented procedures to facilitate the implementation of a control should be reviewed and updated annually. The standard also requires system owners to review system security plans at least annually and update them to address changes to the information system and/or environment of operation. NRC CSO-STD-2001 states that documented and periodically reviewed operational procedures and responsibilities capture the requirements for secure operation of information systems and effective management and support of IT systems. This standard requires system owners to ensure operating procedures are reviewed and approved on a periodic basis, at least annually.

PG 0001.11, RIV Policy Guide and Office Notice System, dated January 9, 2006, describes the system for initiating, revising, and deleting regional office policy guides and notices.
PG\n0001.11 requires policy guides to be updated within 3 years of the date of issuance to ensure all\ninformation remains current.\n\n3.2.6 Agency Has Not Fully Met Requirements\n\nRegion IV has developed several regional policy guides specific to the Region IV IT security\nprogram. However, the evaluation team found that the Region IV physical security plan is not\nup-to-date. For example, several sections need to be updated to reflect the new office location.\nRegion IV moved from 612 East Lamar Boulevard to 1600 East Lamar Boulevard in December\n2011. The document also does not describe the current access control procedures for visitors.\nSome of the functions described in this document are now performed by the security guards5 and\na different form is used for visitor registration. This document is being updated and is currently\nunder review with headquarters and Region IV executives. However, Region IV has not\nestablished a target completion date for the update.\n\nPG 0001.11 requires policy guides to be updated within 3 years of the date of issuance to ensure\nall information remains current. 
However, per NRC security standards, some procedures require\nmore frequent review and update \xe2\x80\x93 at least annually for documented procedures to facilitate the\nimplementation of security controls in the 18 security control families described in NIST SP 800-\n53 and for operational procedures that capture the requirements for secure operation of\ninformation systems and for effective management and support of IT systems.\n\n\n5\n    Region IV contracts through the Federal Protective Service for security guard services.\n\n\n                                                            8\n\x0c                                                                   Information Security Risk Evaluation of\n                                                                                Region IV \xe2\x80\x93 Arlington, TX\n\n\n3.2.7 Impact on Region IV Operations\n\nOutdated procedures can result in steps or processes being skipped or forgotten if personnel\nresponsible for a particular activity are unavailable. In addition, outdated procedures make it\nmore difficult when training new personnel to handle a specific activity. Current procedures\nensure continuity in performing a specific IT security function in the event of staff turnover and\nare excellent for training new personnel and an excellent reference for existing personnel.\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   5. Update PG 0754.2, Physical Security Plan, to reflect the new office location, describe the\n      current access control procedures for visitors, and describe functions now performed by\n      the security guards.\n   6. 
Update PG 0001.11, RIV Policy Guide and Office Notice System, to specify which\n      regional policy guides require annual review and update.\n\n\n\n\n                                                 9\n\x0c                                  Information Security Risk Evaluation of\n                                               Region IV \xe2\x80\x93 Arlington, TX\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              10\n\x0c                                                                  Information Security Risk Evaluation of\n                                                                               Region IV \xe2\x80\x93 Arlington, TX\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Update the backup procedures for seat-managed servers to (i) reflect the current Region\n       IV seat-managed server infrastructure; (ii) document current backup procedures for seat-\n       managed servers; (iii) document procedures for creating Ghost images, including where\n       those images are stored; (iv) define the schedule for creating Ghost images; (v) correct\n       references to current seat-management contractor; and (vi) correct any other sections\n       impacted by the changes to the server infrastructure or the transition to the new seat-\n       management contractor.\n    2. Develop documented backup procedures for NRC-managed servers. The procedures\n       should include the same level of detail as the backup procedures for seat-managed\n       servers.\n    3. Develop and implement procedures for sending backups of NRC-managed servers to an\n       offsite storage location in accordance with NRC requirements.\n    4. Establish a general laptop system and complete the process described in the NRC Laptop\n       Security Policy for authorization of the general laptop system.\n    5. 
Update PG 0754.2, Physical Security Plan, to reflect the new office location, describe the\n       current access control procedures for visitors, and describe functions now performed by\n       the security guards.\n    6. Update PG 0001.11, RIV Policy Guide and Office Notice System, to specify which\n       regional policy guides require annual review and update.\n\n\n\n\n                                               11\n\x0c                                  Information Security Risk Evaluation of\n                                               Region IV \xe2\x80\x93 Arlington, TX\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              12\n\x0c                                                              Information Security Risk Evaluation of\n                                                                           Region IV \xe2\x80\x93 Arlington, TX\n\n\n5   Agency Comments\n\n    At an exit conference on September 21, 2012, agency officials agreed with the findings\n    and provided comments which were incorporated, as appropriate, into this report. The\n    agency opted not to submit formal comments.\n\n\n\n\n                                           13\n\x0c                                  Information Security Risk Evaluation of\n                                               Region IV \xe2\x80\x93 Arlington, TX\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              14\n\x0c                                                                   Information Security Risk Evaluation of\n                                                                                Region IV \xe2\x80\x93 Arlington, TX\n\n\nAppendix.         
OBJECTIVES, SCOPE, AND METHODOLOGY\n\nOBJECTIVES\n\nThe Region IV information security risk evaluation objectives were to:\n\n        Perform an independent information security risk evaluation of the NRC IT security\n        program, policies, and practices for compliance with FISMA in accordance with OMB\n        guidance and Federal regulations and guidelines as implemented at Region IV.\n        Evaluate the effectiveness of agency security control techniques as implemented at\n        Region IV.\n\nSCOPE\n\nThe scope of this information security risk evaluation included:\n\n        The four floors Region IV occupies at 1600 E. Lamar Boulevard, Arlington, Texas\n        76011-4511.\n        Region IV seat-managed equipment.\n        Region IV NRC-managed equipment.\n\nThe information security risk evaluation did not include controls related to the management of\nsafeguards or classified information.\n\nThe evaluation work was conducted during a site visit to Region IV in Arlington, TX, between\nSeptember 17, 2012, and September 21, 2012. Any information received from the agency\nsubsequent to the completion of fieldwork was incorporated when possible. Throughout the\nevaluation, evaluators were aware of the potential for fraud, waste, or misuse in the program.\n\nMETHODOLOGY\n\nRichard S. Carson & Associates, Inc., conducted a high-level, qualitative evaluation of the NRC\nIT security program, policies, and practices as implemented at Region IV, and evaluated the\neffectiveness of agency security control techniques as implemented at Region IV.\n\nIn conducting the information security risk evaluation, the following areas were reviewed:\nphysical and environmental security controls, logical access controls, configuration management,\ncontinuity of operations and recovery, and IT security program. Specifically, the evaluation\nteam conducted site surveys of the four floors Region IV occupies at 1600 E. 
Lamar Boulevard,\nArlington, Texas 76011-4511, focusing on the areas that house IT equipment. The team\nconducted interviews with the Region IV ISSO, the seat-management server administrator, the\nRegion IV server administrator, and other Region IV staff members responsible for\nimplementing the agency\xe2\x80\x99s IT security program at Region IV. The evaluation team also\nconducted user interviews with 14 Region IV employees, including two Resident Inspectors and\ntwo teleworkers. The team reviewed documentation provided by Region IV including floor\n\n\n\n                                                15\n\x0c                                                                  Information Security Risk Evaluation of\n                                                                               Region IV \xe2\x80\x93 Arlington, TX\n\n\nplans, inventories of hardware and software, local policies and procedures, security plans,\nbackup procedures, contingency plans, and the Occupancy Emergency Plan. The information\nsecurity risk evaluation also included a network vulnerability assessment scan of the Region IV\nnetwork and the Region IV Resident Inspector sites.\n\nAll analyses were performed in accordance with guidance from the following:\n\n       NIST standards and guidelines.\n       NRC MD and Handbook 12.5, NRC Automated Information Security Program.\n       NRC Computer Security Office policies, processes, procedures, standards, and\n       guidelines.\n       NRC OIG audit guidance.\n\nThe work was conducted by Jane M. Laroussi, CISSP, CAP, GIAC ISO-17799, and Diane\nReilly, from Richard S. Carson & Associates, Inc.\n\n\n\n\n                                               16\n\x0c'